Main menu

NETWORKING

Information Security's Real Threat: Oversharing

Too much sharing and too little risk and security management are bad for business, especially among SMBs.

With great power comes great responsibility.

It's a safe bet Voltaire wasn't thinking of Facebook when he wrote those words, but it's a useful warning for businesses now enjoying the growing clout of social media. Reaching thousands of customers by dashing off a quick sentence and hitting 'Share' is both great and powerful -- but too much sharing without enough risk management can be bad for business.

In a move to ease regulations on financing for startups and small businesses, on July 10 the SEC ruled that qualified firms seeking private investments are allowed to advertise publicly for the first time. This follows an April 2 SEC announcementthat companies can now use the Internet and social media to announce key information under specific conditions, an action banned previously out of concern that not all shareholders had equal access to digital channels like Twitter or Facebook.

Loosening restrictions on the use of social media to communicate company information is a plus for smaller businesses. It can cost virtually nothing to use Facebook or Twitter. But don't overlook the hidden costs: the risk of public, messy missteps. Whether your account is breached using your password or through the social network's own security gaps, or an employee posts something inappropriate, resolving the issue sucks up time and can damage your corporate brand.

First, here's the quick answer to controlling your IT security on social networks: You can't. Social media by definition is outsourced, so you're at the mercy of these providers' information security practices.

The best way to reduce the chance of getting hacked is to make sure that employees in charge of corporate social media accounts use complex passwords, and then control physical access to these passwords. It sounds painfully obvious, yet the three most common passwords in 2012were "password," "123456" and "12345678."

Social media is just the latest flavor of a longstanding struggle that bedevils growing companies: How do you balance protecting corporate information with getting things done? Information security is particularly tough for SMBs, which often go from one crisis to the next because they don't have a systematic approach to IT business risk and information security.

There are two main areas to think about: compliance and business risk. Compliance applies not only to government regulations, but also to things like contracts with customers and suppliers and to your own internal policies, such as what you do with the data you collect online. And IT, marketing and sales must share the same understanding of how data is collected and used. It is critical to remember that being compliant doesn't mean you are safe. Checking off boxes has not helped all those PCI-compliant companies that continue to experience data breaches.

Here are three practical steps for resource-strapped SMBs to manage compliance more effectively:

-- Use a systematic approach to understand all the compliance issues that matter to you. In ISACA's COBIT framework, for example, compliance is an attribute that is present throughout IT processes.

-- Look for ways that a single information security compliance policy will help you meet multiple requirements.

-- Apply automation tools as an easy way to reduce compliance costs.

But being compliant says little about managing IT-related risk to business objectives. Managing information security is a subset of managing IT-related business risk. It tends to get more attention because the consequences can be crippling.

But the encouraging news is that there are plenty of precedents for solid IT risk management practices that can inform a company's approach to information security. These three steps can help growing companies put good information security management into action:

-- Start with a conversation between business and IT. This will ensure that IT and security experts understand the business environment as well as the IT threat environment. For example, is the company planning to open a new facility or expand into a new legal jurisdiction?

-- Practice IT governance. Take advantage of free flexible frameworks such as COBITand tailor them to your situation. For small businesses, first steps tend to focus on perimeter security such as firewalls, penetration testing and access control.

-- Don't think of managing information security as just a technology play or a periodic controls audit. Make it a systematic process and you'll save on resources -- both staff and costs.

Information has never been so plentiful or easy to access. That's great news for SMBs, which can harness technologies like cloud and analytics and geolocation to engage customers online and compete with much larger companies. But companies that think they are too small to need information governance, or too nimble to be held back by information security safeguards are taking a big risk. Flexible frameworks provide more agility in making better business decisions.

Brian Barnier is principal analyst and advisor with ValueBridge Advisors and a risk advisor with nonprofit association ISACA, advising clients on finance, risk, legal, audit and IT issues. He is also the author of The Operational Risk Handbook for Financial Companies.

This sounds like sensible advice, but how feasible is it for SMBs, particularly on the smaller end of the scale, to start getting into frameworks? Especially if they don't have a dedicated security team, but instead have a few IT folks who do everything?

Hello, thanks for your comment; good observation. It sometimes helps to compare Info sec in an SMB to a neighborhood pizza parlor or local car repair shop. Following good process improves customer satisfaction and reduces cost for business and customer prices. A similar idea applies to "tiny box" retailers where each small store is highly similar. This is often one of the ways "little guys" compete with big guys who get tied up in process knots. While most processes in a framework are needed, it is helpful to realize the SMB is ALREADY doing all these -- just informally and prone to gaps that lead to ugly surprises. The key is tailoring to the SMB. Enjoy the pizza!

Social media and also file sharing is becoming an important part of business development and outreach for many companies. Proper security protocols combined with a good marketing strategy can help mitigate threats.